Whonix ™ comes with many security features. Whonix ™ is Kicksecure ™ Hardened by default and also provides extensive Documentation including this System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their systems for even greater protection.

Introduction[edit]

It is possible to significantly harden the Whonix ™ and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.

Easy[edit]

Anonymous Blogging, Posting, Chat, Email and File Sharing[edit]

• To remain anonymous, follow all the Whonix ™ recommendations to minimize threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.
  • A browser is an unsafe environment to directly write text, regardless of whether it is a forum post, email, webmail or IMAP-related reply.
    • At a minimum users should not type into browsers with JavaScript enabled, since this opens up this deanonymization vector. Text should be written in an offline text editor and then copied and pasted into the web interface when it is complete.
• Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.
• Think twice before sharing "anonymous" photos due to unique embedded noise signatures that have no known countermeasures.
• Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.
• Utilize OnionShare to anonymously share or receive files securely over the Tor network, anonymously chat, or host anonymous websites. ^[1]

Command Line Operations[edit]

• Do not run commands unless they are completely understood -- first refer to a suitable Whonix ™ wiki resource if available.
• If root privileges are required, run the command with sudo rather than logging in as root or using sudo su. ^[2]
  • Consider disabling the root account permanently. ^[3]
  • To prevent malware sniffing the root password, before performing administrative tasks that require root access, create an admin user account with sudo permissions.
  • Prefer sudoedit for better security when editing files. ^[4]
• Defeat login spoofing by using the Secure Access Key ("Sak"; SysRq + k) procedure.
• Consider enabling SysRq "Security Keys" functionality as insurance against system malfunctions -- this assists in system recovery efforts and limits the potential harm of a malware compromise.

Disabling and Minimizing Hardware Risks[edit]

• Unplug external devices when not needed.
• Consider disabling microphones where possible (muting on the host) or better, physically removing them.
• Since speakers (all audio output devices) can be turned into microphones, if possible, physically remove speakers on the host and remove/disable the beeper. ^[5]
• Preferably detach webcams or even better, physically cover webcams with a sticker or switch unless they are in use.
  • If using Qubes-Whonix ™, assign the webcam to an untrusted VM (if needed).
• Avoid using wireless devices, since they are insecure.
• Preferably disable or remove Bluetooth hardware modules.
• Disable or remove problematic devices like ExpressCard, PCMCIA, FireWire or Thunderbolt which may allow attackers with physical access to read RAM.
• Do not enable audio input to any VM unless strictly required.
• Apply CPU microcode updates ^[6]. ^[7]
• Consider restricting hardware information to the root user in Whonix ™. ^[8]
• In Qubes-Whonix ™, only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent malicious compromise of dom0 (PS/2 adapters and available controllers are required).

Entropy[edit]

• To mitigate against inadequate entropy seeding by the Linux Random Number Generator (RNG), it is recommended to install daemons that inject more randomness into the pool.
  • From Debian 10 ("Buster"), jitterentropy-rngd is available; see footnote. ^[9]
  • haveged also uses CPU timer jitter to generate entropy and additional entropy sources cannot hurt; see footnote. ^[10]

File Handling[edit]

• In File Manager, disable previews of files from untrusted sources. Change file preferences in the Template's File Manager so future App Qubes inherit this feature.
• Files received or downloaded from untrusted sources (the internet, via email etc.) should not be opened in a trusted VM. Instead, open them in a DisposableVM: Right-click → Open In DisposableVM
• Untrusted PDFs should be opened in a DisposableVM or converted into a trusted (sanitized) PDF to prevent exploitation of the PDF reader and potential infection of the VM.

File Folder Permissions[edit]

• Linux user account nobody has no special meaning.
• Also linux user group nogroup has no special meaning either.
• Therefore the user should avoid running programs under user nobody and/or group nogroup as well as avoid setting file or folder permissions to that user / group.

^[11]

File Storage Location[edit]

• Avoid storing files directly in the root home folder and create appropriate sub-folders instead.
• Move files downloaded by Tor Browser from the ~/Downloads folder to another specially created one. ^[12]

Mandatory Access Control[edit]

• Enable all available apparmor profiles in the Whonix-Workstation ™ and Whonix-Gateway ™ Templates.
• Enable seccomp on Whonix-Gateway ™ (sys-whonix ProxyVM).

Mobile Devices[edit]

• Since the mobile devices security best practices for risk mitigation are often difficult / infeasible to adhere to, it might be easier to physically move all mobiles devices to a distant physical location such as a different room and close the door and/or to power off mobile devices.

Passwords and Logins[edit]

• Use strong, unique and random passwords for all online accounts, system logins and encryption / decryption purposes to prevent the feasibility of brute-forcing attacks.
• Use a trusted password manager (KeePassXC) ^[13], so hundreds of different passwords can be kept stored in an encrypted password database, protected by one strong master password. ^[14]
• For high-entropy passwords, consider using Diceware passphrases. ^[15]
• In Qubes-Whonix ™, store all login credentials and passwords in an offline vault VM (preferably with KeePassXC) and securely cut and paste them into the Tor Browser. ^[16]
• Read and follow all the principles for stronger passwords.

Screensavers[edit]

• At a minimum, lock the screen of the host when it is unattended.
• For better security, shut down the computer entirely -- screensavers are notoriously insecure. ^{[17] [18]}

Secure Downloads[edit]

• Download Internet files securely using scurl instead of wget from the command line.
• When downloading with Tor Browser, prevent SSLstrip attacks by typing https:// links directly into the URL / address bar.
• Prefer onion services file downloads, which provide greater security and anonymity than https.

Secure Qubes Operation[edit]

• Refer to the Qubes-Whonix ™ security recommendations and always follow the latest security news and advice from the Qubes team.

Secure Software Installation[edit]

• Default to Debian's official package manager APT for installing software, and avoid third party package managers.
• When possible, use mechanisms which simplify and automate software upgrades and installations, like apt functions.
• Prefer installation of software from signed (Debian) GNU/Linux repositories and avoid manually installing software, particularly if it is unsigned.
• Set the Qubes, Debian and Whonix ™ package updates to Tor onion service repositories. ^[19]
• For safer installations or updates, first stop all activity/applications and rotate the Tor circuits .
• Always verify key fingerprints and digital signatures of signed software before importing keys or installing software.
  • Avoid using keyservers if possible.
  • It is safer to securely download the key from a source that is logically connected to the owner, if possible, outside the keyserver model. ^[20]

Updates[edit]

• Operating System Updates: It is crucial to regularly check for operating system updates on the host operating system, and both the Whonix-Workstation ™ and Whonix-Gateway ™.
• Stay tuned: It is absolutely crucial to subscribe to and read the latest Whonix ™ news category 'important-news' to stay in touch with ongoing developments. This way users benefit from notifications concerning important security advisories, potential upgrade issues and improved releases which address identified issues, like those affecting the updater or other core elements. Follow Whonix ™ Developments.
• Debian Security Announcements: Since Whonix ™ is based on Debian, users should consider subscribing to the Debian security announcement mailing list to stay informed about the latest security advisories. See also chapter Debian Security Announcements.

Tor Browser Series and Settings[edit]

• Prefer the stable Tor Browser release over the alpha series in line with Tor developer recommendations; see footnotes. ^{[21] [22] [23] [24]}
• Run the Tor Browser Security Slider in the highest position. ^[25]
• Disable Javascript by default and only allow it sparingly for trusted sites. ^[26]
• Do not configure custom NoScript (per-site) settings which persist across successive Tor Browser sessions because this aids fingerprinting.
• Use .onion services where possible to stay within the Tor network, such as defaulting searches to the DuckDuckGo onion service. ^[27]
  • Consider setting HTTPS Everywhere user rules to consistently utilize .onion resources instead of clearnet domains for the Whonix ™ main page, homepage, forums, download page, phabricator site, and Debian repository.
• Use multiple Tor Browser instances or multiple Whonix-Workstation ™ to better compartmentalize contextual identities.
• Follow all other Whonix ™ recommendations for safe and anonymous use of Tor Browser.
• Install Tor Browser outside of Whonix ™ so a second, working instance is always available for anonymous activities. ^[28]

Virtual Machines[edit]

All Virtualizers[edit]

• Remove the virtual audio controller to VMs from getting access to a microphone (eavesdropping risk) or speaker (profiling threat).

VirtualBox[edit]

• Remove a host of VirtualBox features to reduce the attack surface.
• Take regular, clean VM snapshots that are not used for any activities.
• Spoof the initial virtual hardware clock offset.
• Consider disabling clipboard sharing to reduce the risk of identity correlation. ^[29]
• Shared folders are discouraged because they weaken isolation between the guest and the host. ^[30]

Warrant Canary[edit]

• Learn more about warrant canaries -- see Whonix ™ Warrant Canary (forum discussion) and limitations of warrant canaries.

Moderate[edit]

Create a USB Qube[edit]

• Prepare and safely utilize a USB qube. ^{[31] [32]}
• Configure a disposable sys-usb.

Host Operating System Distribution[edit]

• For a truly private operating system, install GNU/Linux on the host. ^[33]
• The Debian distribution is recommended by Whonix ™ as providing a reasonable balance of security and usability.
  • Consider installing the Kicksecure ™ Debian derivative, since it has considerable security hardening by default. ^[34]

Host Operating System Hardening[edit]

All Platforms[edit]

• Use Full Disk Encryption (FDE) on the host.
• Apply a BIOS password for BIOS setup and boot.
• Torrify APT traffic on the host to prevent fingerprinting and leakage of sensitive security information.
• Follow all other Whonix ™ recommendations to further harden the host OS against physical attacks.

Non-Qubes-Whonix Only[edit]

• Harden the host Debian Linux OS.

Kernels / Kernel Modules[edit]

• To benefit from additional protections, ^[37] consider installing newer kernels.
  • On the host Linux platform.
  • In Whonix ™ VMs.
  • Qubes: in dom0 and in Qubes VMs (see Qubes VM Kernel). ^{[38] [39] [40]}
• Consider installing the Linux Kernel Runtime Guard (LKRG) kernel module for improved detection and protection against common kernel exploits. ^[41]
• In Qubes-Whonix ™, consider installing the tirdad kernel module to protect against TCP ISN-based CPU information leaks. ^{[42] [43]}
• Advanced users can undertake host kernel hardening to significantly increase security and privacy.

Live-mode[edit]

• Consider running Whonix ™ with Live Mode in a VM or even better in Whonix ™ as HOST os, so all writes go to RAM instead of the hard disk.
  • If Debian is run as the host OS, consider also booting into Live Mode.
• Disable swap and program crash dumps as an anti-forensics precaution.
• When using Live Mode in a VM, consider enabling read-only hard drive mode to make it harder for malware to gain persistence. ^[44]

Memory Allocator[edit]

• Consider installing a hardened memory allocator ('Hardened Malloc') to launch regularly used applications. ^[45]

Networking[edit]

All Platforms[edit]

• If possible, use a dedicated network connection (LAN, WiFi etc.) that is not shared with other potentially compromised computers.
• If using a shared network via a common cable modem/router or ADSL router, configure a de-militarized zone (perimeter network). ^[46]
• Test the LAN's router/firewall with either an internet port scanning service or preferably a port scanning application from an external IP address.
• Change the default administration password on the router to a unique, random, and suitably long Diceware passphrase to prevent bruteforcing attacks.
• WiFi users should default to the WPA2-AES or WPA3 standard; the protocols are safer and have stronger encryption. ^{[47] [48]}
• Follow all other Whonix ™ recommendations to lock down the router.
• Disable TCP SACK to limit the risk of remote DoS and other attacks.

Qubes-Whonix ™ Only[edit]

• Prefer the Debian Template for networking (sys-net and sys-firewall) since it is minimal in nature and does not "ping home", unlike the Fedora Template. ^[49]
• Consider using customized minimal templates for NetVMs to reduce the attack surface and memory requirements. Four options are currently available:
  • CentOS ^[50]
  • Debian. ^[51]
    • Debian can optionally be morphed into a Kicksecure ™ Template for greater security.
  • Fedora ^[52]
  • Gentoo
• For greater security, higher performance and a lower resource footprint, consider using an experimental MirageOS-based unikernel firewall that can run as a QubesOS ProxyVM.
• Consider utilizing OpenBSD for sys-net to reduce the attack surface. ^[53] See also other OpenBSD considerations.

Sandboxing[edit]

• Consider using Firejail to restrict Tor Browser, Firefox-ESR, VLC and other regularly used applications -- note this comes with an increased fingerprinting risk and any vulnerability in Firejail can allow escalation to root privileges. ^[54]
• In a future Non-Qubes-Whonix ™ release, consider using sandbox-app-launcher (Sandboxed Application Launcher) to restrict applications within a bubblewrap sandbox and confined by AppArmor. ^[55]

Spoof MAC Addresses[edit]

• In Qubes-Whonix ™, follow these steps to spoof the MAC address on the Debian or Fedora Template used for network connections.
• In Non-Qubes-Whonix ™, follow these steps to spoof the MAC address of the network card on a Linux, Windows or macOS host.

Time Related[edit]

• Non-Qubes-Whonix ™ only: Disable ICMP timestamps and TCP timestamps on the host operating system to prevent leakage of information. ^[56]
• Non-Qubes-Whonix ™ only: Uninstall the NTP client on the host operating system and disable systemd's timdatectl NTP synchronization feature. ^[57]
• Prevent possible time leaks by blocking networking until sdwdate finishes.

Tor Settings[edit]

• Consider enabling Tor connection padding for potentially better anonymity; note it is unclear whether this provides any additional benefit (see footnote). ^[58]
• Consider installing newer Tor versions directly from The Tor Project repository.
• Avoid regenerating the Tor state file or manually rotating Tor guards ^[59] because it degrades anonymity.
• Avoid configuring non-persistent entry guards, as this severely degrades anonymity.
• Consider using Bridges if Tor is censored, dangerous or deemed suspicious in your location.
• If using a bridge, configure alternating bridges for different physical locations.
• Heavily censored users should configure a meek-azure bridge with Anon Connection Wizard. ^[60]
• To help preserve anonymity, copy Tor configuration files and settings to any new sys-whonix instance which is created. ^[61]

Whonix ™ VM Security[edit]

• Consider disabling the Control Port Filter Proxy to reduce the attack surface of both the Whonix-Gateway ™ and Whonix-Workstation ™.
• Consider hardening systemcheck.
• Consider the periodic deletion and recreation of VMs that are used for sensitive operations.
  • If a compromise of Whonix-Gateway ™ and/or Whonix-Workstation ™ is suspected, follow the compromise recovery instructions.

Difficult[edit]

Anti-Evil Maid[edit]

• Consider the Android Haven application for sensitive devices -- motion, sound, vibration and light sensors can monitor and protect physical areas. ^[62]
• If a Trusted Platform Module (TPM) is available, enable it in BIOS/UEFI and configure the required services to protect against Evil Maid Attacks.
  • Qubes-Whonix ™: Utilize AEM protection to attest that only desired (trusted) components are loaded and executed during the system boot. ^[63]
• See Kicksecure ™ AEM Documentation

Chaining Anonymizing Tunnels[edit]

• Avoid this course of action. The anonymity benefits are unproven and it may actually hurt a user's anonymity and security goals.
• Virtual Private Network (VPN) tunnel-links are strongly recommended against due to multiple security and anonymity risks.

DisposableVMs[edit]

• Run all instances of Tor Browser in a DisposableVM which is preferably uncustomized to resist fingerprinting. ^[64]
• Configure each ServiceVM as a static DisposableVM to mitigate the threat from persistent malware accross VM reboots. ^[65]
• Until fully ephemeral DisposableVMs are available by default in a future Qubes release, advanced users can consider configuring them manually:
  • Unman's guide to ephemeral DisposableVMs creates a RAM-based storage area.
  • anywaydense's guide to ephemeral PVH DisposableVMs encrypts data written to the disk with an ephemeral encryption key only stored in RAM.

Email[edit]

All Platforms[edit]

• Follow the Whonix ™ recommendations to select an email provider compatible with privacy and anonymity.
• For anonymous PGP-encrypted email over Tor, use Mozilla Thunderbird. ^[66]
• For greater email or message security, consider using the OneTime application or a Physical One-time Pad for military-grade encryption.
• Follow all other email principles for greater safety.

Qubes-Whonix ™ Only[edit]

• Use split-GPG for email to reduce the risk of key theft used for encryption / decryption and signing.
• Create an App Qube that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
• Only open untrusted email attachments in a DisposableVM to prevent possible infection.

Ethernet/FDDI Station Activity Monitor[edit]

• Consider running ArpON as a daemon to defend against ARP attacks like ARP spoofing, ARP cache poisoning and ARP poison routing. ^[67]
• Consider utilizing Arpwatch to be alerted about any changes to the database of Ethernet MAC addresses seen on the network. ^[68]

Flash the Router with Opensource Firmware[edit]

• Flash the insecure, limited-utility, proprietary firmware on the router with a powerful, open-source GNU/Linux alternative.

Mix Personal Tor Traffic with Own Tor Bridge or Relay[edit]

• See Host a Bridge or Tor Relay; this configuration might make adversary classification of Tor traffic more difficult. ^[69]

Multi-Factor User Authentication[edit]

• Set up two-factor authentication (2FA) to strengthen the security of online accounts, smartphones, web services, access to physical locations and other implementations.
• Configure PAM USB as a module that only allows user authentication by inserting a token (a USB stick), in which a one-time password is stored.
• For secure account logins, utilize a Nitrokey hardware authentication device which supports one-time passwords, public-key encryption, and the Universal 2nd Factor (U2F) and FIDO2 protcols.
  • Qubes: Check the YubiKey (will be not much different from Nitrokey) instructions to enhance the security of Qubes user authentication, mitigate the risk of password snooping, and to improve USB keyboard security.

Systemd Sandboxing[edit]

• Create drop-in .conf files to sandbox systemd services.

Whitelisting Tor Traffic[edit]

• Qubes-Whonix ™: Configure sys-whonix to use corridor as a filtering gateway to ensure only connections to Tor relays pass through. ^{[70] [71]}
• Non-Qubes-Whonix ™ or Qubes: Use a standalone corridor as a filtering gateway.

Expert[edit]

Disable Intel ME Functionality[edit]

• It is possible to partially deblob Intel's despicable ME firmware image by removing unnecessary partitions from it.
• Alternatively, Intel ME's "High-Assurance Platform" mode can be set manually to disable most ME capabilities.

Disable SUID-enabled Binaries[edit]

• Consider enforcing the SUID Disabler and Permission Hardener to increase the security of the system; see here for instructions. ^[72]

Opensource Firmware[edit]

• Libreboot is no longer recommended as a proprietary firmware alternative; see footnote. ^[73]
• Coreboot is a possible BIOS/UEFI firmware alternative -- consider purchasing hardware that has it pre-installed (like Chromebooks), or research flashing procedures for the handful of refurbished motherboards that support it.
  • Note: The open Qubes ticket on Research support for libreboot/coreboot-based systems makes the opensource firmware recommendation generally unsuitable for Qubes-Whonix ™ at present.
  • Exception: Several laptops meet Qubes' Certified Hardware requirements and are configured with Coreboot, Heads and a partially disabled Intel Management Engine.

Physical Isolation[edit]

• If additional hardware is available, consider Physical Isolation in Non-Qubes-Whonix ™. ^[74]

Footnotes[edit]